Re: Ransomware Protection

We have a computer on which all the documents have been encrypted; they all have the extension .zepto. If I scan the computer with F-Secure PSB, it does not find any virus or trojan on the computer, and the computer is reported clean. But if I instead scan it with Spyhunter 4, it finds an infected file, plus the bitmap on the desktop with the ransom text. It is being reported as Locky Ransomware.

Is F-Secure a little slow on this variant of the virus, or is Spyhunter giving me a false positive?

Re: Ransomware Protection

Hello,

Modern ransomware code deletes itself (the malicious binary executable) from the infected computer after the task of encrypting all document and media files has been completed. That trick makes it difficult to analyze the infection. The only things left behind are the textual and bitmap versions of the bitcoin ransom payment collection instructions.

Therefore, if your computer is already full of .zepto files, it is no wonder antivirus won't find any malicious binaries in the system, since there aren't any left!

As for how your computer got infected in the first place, despite active F-Secure protection, who knows? Official F-Secure Lab stance is that active DeepGuard protection running with full effort should stop all ransomware infection attempts. (The corresponding default settings are "DeepGuard Advanced Mode" checked in the corporate and institutional purpose F-Secure products and "DeepGuard use basic mode" UNchecked in home-consumer products.)

On the other hand, some competing vendors already include dedicated anti-ransomware / anti-cryptor protection technology in their antivirus suites, while DeepGuard is a general-purpose protection module that is also supposed to stop ransomware. That is not an ideal situation, and partners have been asking F-Secure Corp. to include a dedicated anti-cryptor protection asset in their products.

Re: Ransomware Protection

Hello hje,

Please, check your scanning settings. By default the checkbox "Scan only known file types" is selected. If you uncheck the checkbox, all files will be scanned, and the infections which can't harm your machine directly by execution/opening will be found as well.

Re: Ransomware Protection

I have tried unchecking the checkbox "Scan only known file types" and running a new scan, but it still does not find the ransomware. According to Spyhunter there are two types of infection on the computer, Locky Ransomware and Zepto Ransomware. All the data files on the computer have been renamed to a cryptic name with the extension .zepto.

Re: Ransomware Protection

Hi.

Thanks for info.

Yes, it looks like the ransomware is not active on the computer anymore, but what bothers me is that Spyhunter can find some leftovers of the virus, while F-Secure cannot find anything. One of the files Spyhunter recognizes is the bitmap on the desktop with the ransomware text, but I cannot see what the other two files are that Spyhunter finds.

When I got to the infected computer the antivirus had somehow been disabled, so the computer was not protected as it should have been. So nothing to blame F-Secure for there!

Re: Ransomware Protection

I think it is acceptable that F-Secure does not mark the bitmap as malicious. That file is not active, and is not doing any harm to your system. The only time I can think that detecting this file would be useful would be in an IPS product, where if you see this file you could disconnect the system from the network so it is not able to encrypt connected fileshares etc.

I am sure that this infection has caused you a lot of trouble today but as a fellow PSB customer I am glad to hear that your user had disabled their protections, and that Vad has confirmed that there are protections for this malware in the PSB product.
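The two points made in this thread, that the binary is usually gone by the time anyone looks and that what remains is the renamed .zepto files plus the ransom notes, and that spotting those artifacts early is the hook for pulling a host off the network before it reaches file shares, can be turned into a small triage script. The following Python is an added example and is not code from the thread, from F-Secure or from any of the products mentioned. It walks a directory tree, counts files carrying the .zepto extension, flags ransom-note-like files by name or by content, and exposes a single boolean an automated responder could act on. The GUID-style rename pattern, the `_HELP_instructions` note name and the marker words in `NOTE_MARKERS` are assumptions to be tuned against the actual host; the sample tree it builds is constructed data, not a capture from a real incident.

```python
"""Artifact triage for a Locky/Zepto-style incident.

The dropper has normally deleted itself, so detection keys on what is left:
files renamed with the .zepto extension and the ransom notes dropped beside
them. Added example; the name patterns below are assumptions, not vendor IOCs.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".zepto"
# Assumed rename pattern (GUID-like hex string + .zepto); verify against the host.
ZEPTO_NAME_RE = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\.zepto$", re.I
)
# Assumed ransom-note naming; the thread only says a text and a bitmap note were
# dropped on the desktop. Content markers below are tunable, not authoritative.
NOTE_NAME_RE = re.compile(r"help.*instructions", re.I)
NOTE_EXTS = {".txt", ".bmp", ".html"}
NOTE_MARKERS = ("bitcoin", "decrypt", "rsa-2048", "private key")


@dataclass
class TriageResult:
    encrypted: list = field(default_factory=list)   # files with the .zepto extension
    notes: list = field(default_factory=list)       # ransom-note-like files
    odd_names: list = field(default_factory=list)   # .zepto files not matching the rename pattern

    @property
    def ransomware_indicated(self) -> bool:
        # A ransom note, or a handful of renamed files, is enough to isolate the host.
        return bool(self.notes) or len(self.encrypted) >= 3


def looks_like_note(path: Path) -> bool:
    """Flag a file as a ransom note by name, or for text files by marker words."""
    if path.suffix.lower() not in NOTE_EXTS:
        return False
    if NOTE_NAME_RE.search(path.name):
        return True
    if path.suffix.lower() == ".bmp":
        return False  # bitmaps are binary; only the name can identify them here
    try:
        head = path.read_text(errors="ignore")[:4096].lower()
    except OSError:
        return False
    return sum(marker in head for marker in NOTE_MARKERS) >= 2


def triage(root) -> TriageResult:
    """Walk `root` and collect encrypted files and ransom notes."""
    result = TriageResult()
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() == ENCRYPTED_EXT:
                result.encrypted.append(p)
                if not ZEPTO_NAME_RE.match(name):
                    result.odd_names.append(p)
            elif looks_like_note(p):
                result.notes.append(p)
    return result


def build_sample_tree() -> str:
    """Constructed victim profile (not real data) so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="zepto-triage-")
    docs = Path(root) / "Documents"
    desk = Path(root) / "Desktop"
    docs.mkdir()
    desk.mkdir()
    for i in range(5):  # five renamed documents matching the assumed pattern
        (docs / f"024BCD33-41D1-ACD3-3EEA-84083E32{i:04X}.zepto").write_bytes(os.urandom(64))
    (docs / "notes.zepto").write_bytes(b"x")           # unexpected name, still counted
    (docs / "report.docx").write_bytes(b"PK\x03\x04")   # untouched file
    (desk / "_HELP_instructions.txt").write_text("All files encrypted with RSA-2048. Pay bitcoin to decrypt.")
    (desk / "_HELP_instructions.bmp").write_bytes(b"BM" + bytes(100))
    (desk / "readme.txt").write_text("Your private key is held by us. Send bitcoin to recover.")
    (desk / "todo.txt").write_text("buy milk")         # ordinary text, not a note
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"encrypted={len(r.encrypted)} notes={len(r.notes)} "
          f"odd_names={len(r.odd_names)} isolate_host={r.ransomware_indicated}")
```

Run against a user profile or a mapped share root rather than the whole disk first; a response integration would call `triage()` on a schedule or from a file-change trigger and, when `ransomware_indicated` flips to true, disable the host's network adapters or its SMB sessions before the encryption loop reaches shared drives.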